Command Injection Vulnerability in TP-Link Archer Routers
CVE-2026-5509

8.5 HIGH

What is CVE-2026-5509?

An authenticated command injection vulnerability affects TP-Link Archer BE450 and BE7200 routers. It allows attackers who gain admin access to execute arbitrary system commands via the web management interface. Using the developer console, attackers can input crafted commands that bypass sanitization measures, potentially leading to full compromise of the router's operating environment. Exploitation can result in unauthorized services being started, configuration changes, and overall destabilization of network security. Users should apply the latest firmware updates to safeguard their devices.

Affected Version(s)

Archer BE450 v1: firmware versions from 0 up to, but not including, 1.3.0 Build 20260416

Archer BE7200 V1: firmware versions from 0 up to, but not including, 1.3.0 Build 20260416

CVSS V4

Score: 8.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Chuya Hayakawa of 00One, Inc.